Ok, I got it to work, but I don't think this is a good solution.
I simply set CASValidateServer Off. I am sure this is not a solution for a
production environment.
Looking at the code of the function getResponseFromServer(), I see a small
section of code that just gets skipped.
This is the code that generates the error message I see:
    /* the handshake (including certificate verification) failed; the
       return value of SSL_connect() is not recorded anywhere */
    if (SSL_connect(ssl) <= 0) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "MOD_AUTH_CAS: Could not perform SSL handshake with %s (check CASCertificatePath)",
                      c->CASValidateURL.hostname);
        CASCleanupSocket(s, ssl, ctx);
        return (NULL);
    }
It looks as if SSL_connect() could return a variety of ints, indicating why
openssl couldn't verify the connection. I may modify the code to display
what SSL_connect() actually returned.
Thanks,
Bryan Wooten
[email protected]
Work: 801.585.9323
Cell: 801.414.3593
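Matt's checks further down and the root-versus-intermediate question in Bryan's reply come down to one test: does the file named by CASCertificatePath contain a self-signed anchor from which the CAS server's certificate chains? The script below is an added example, not code from this thread and not part of mod_auth_cas. It builds a throwaway root, intermediate and wildcard server certificate with the openssl CLI and then runs openssl verify against the bundle contents the thread tries (root only, intermediate only, both). It assumes openssl is on PATH; every name in it (example.test, the CA names, the working directory) is constructed.

```shell
#!/bin/sh
# Added example, not code from this thread or from mod_auth_cas: build a
# throwaway root -> intermediate -> server chain with the openssl CLI, then
# show which CASCertificatePath-style bundle contents let the server
# certificate verify. Assumes "openssl" is on PATH; every name below
# (example.test, the CA names, the working directory) is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so no system openssl.cnf defaults leak in.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > int.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.test
EOF

# Self-signed root: the only kind of certificate that can act as a trust anchor.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout root.key \
  -out root.pem -subj "/CN=Example Test Root CA" -days 2 2>/dev/null
# Intermediate signed by the root.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout int.key \
  -out int.csr -subj "/CN=Example Test Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 2 -extfile int.ext 2>/dev/null
# Wildcard server certificate signed by the intermediate, i.e. a two-level
# chain like the one the thread describes for the CAS server.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout server.key \
  -out server.csr -subj "/CN=*.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out server.pem -days 2 -extfile server.ext 2>/dev/null
cat root.pem int.pem > bundle.pem

# verify_chain TRUSTFILE [UNTRUSTED]: exit 0 if server.pem verifies with
# TRUSTFILE as the trust store. UNTRUSTED stands in for the intermediate the
# TLS server itself sends during the handshake; omit it to model a server
# that sends only its leaf certificate.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" server.pem
  else
    openssl verify -CAfile "$1" server.pem
  fi
}

# count_self_signed BUNDLE: print how many certificates in a PEM bundle are
# self-signed (subject == issuer). A bundle with zero cannot anchor a chain.
count_self_signed() {
  awk '/BEGIN CERTIFICATE/{n++} n>0{print > ("split_" n ".pem")}' "$1"
  n=0
  for f in split_*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then n=$((n + 1)); fi
    rm -f "$f"
  done
  echo "$n"
}

# report TRUSTFILE [UNTRUSTED]: one readable line per scenario, with the
# "lookup" line openssl prints on failure (e.g. "unable to get issuer").
report() {
  if out=$(verify_chain "$@" 2>&1); then
    status="OK"
  else
    status="FAIL: $(echo "$out" | grep lookup | head -n 1)"
  fi
  echo "trust=$1 sent-by-server=${2:-none} -> $status"
}

echo "bundle.pem holds $(grep -c 'BEGIN CERTIFICATE' bundle.pem) certificates," \
     "$(count_self_signed bundle.pem) self-signed"
echo "int.pem holds 1 certificate, $(count_self_signed int.pem) self-signed"
report root.pem int.pem   # anchor on disk, intermediate sent by server: OK
report int.pem int.pem    # intermediate only, no self-signed anchor: FAIL
report bundle.pem         # root+intermediate on disk, server sends leaf only: OK
report root.pem           # root only and server sends leaf only: FAIL
```

The same check against a live server is openssl s_client -connect host:443 -CAfile bundle.pem, reading the "Verify return code" line at the end; that is the in-handshake verification the SSL_connect() call in the quoted code performs, so making it pass with the real bundle is the alternative to turning CASValidateServer off. The two failing cases mirror what the thread tries: an intermediate on its own is never a trust anchor, and a root on its own only works when the server sends its intermediate.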
-----Original Message-----
From: Bryan Wooten [mailto:[email protected]]
Sent: Wednesday, August 11, 2010 6:58 AM
To: [email protected]
Subject: RE:[cas-user] Hopefully my last mod_auth_cas question
Yes, I set CASAllowWildcardCert on.
The ulogin cert is signed by digicert which is signed by an entrust cert, a
chain. I've tried both the digicert and entrust separately as the casCARoot.pem.
I've also tried putting both of them in the pem file.
I am thinking that neither the digicert nor the entrust cert is recognized by
apache / openssl as root certificates. I assume that apache has the equivalent
of a cacerts file somewhere where I can add my digicert and entrust cert.
Thanks for the assistance,
Bryan Wooten
[email protected]
Work: 801.585.9323
Cell: 801.414.3593
-----Original Message-----
From: Smith, Matthew J. [mailto:[email protected]]
Sent: Tuesday, August 10, 2010 7:27 PM
To: [email protected]
Subject: RE:[cas-user] Hopefully my last mod_auth_cas question
Bryan-
A quick perusal via "openssl s_client -connect ulogin.utah.edu:443" shows
that the CAS server is using a wildcard certificate, so please try setting
"CASAllowWildcardCert on".
Next, I see your CAS server using a digicert.com signed certificate. Using
"openssl x509 -in c:/kronos/apache/conf/ssl/casCARoot.pem -text" can you verify
that your casCARoot.pem file is indeed a digicert root certificate?
And lastly, does your Apache server have rights to read the pem file (and
traverse its parent directories)?
HTH,
-Matt
Matthew J. Smith
University of Connecticut UITS
[email protected]
________________________________________
From: Bryan Wooten [[email protected]]
Sent: Tuesday, August 10, 2010 1:23 PM
To: [email protected]
Subject: [cas-user] Hopefully my last mod_auth_cas question
My apache server (running on Windows server 2008) has a valid signed cert as
does our cas server, but I am getting this error in the apache error_log:
[Tue Aug 10 11:15:42 2010] [error] [client 128.110.140.67] MOD_AUTH_CAS: Could
not perform SSL handshake with ulogin.utah.edu (check CASCertificatePath)
My cas.conf file has this line:
CASCertificatePath c:/kronos/apache/conf/ssl/casCARoot.pem
The casCARoot.pem has 2 certs in it, they are chained.
Thanks in advance for any help,
Bryan Wooten
[email protected]
Work: 801.585.9323
Cell: 801.414.3593
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user